为什么我无法阻止互联网访问(iptables)?

为什么我无法阻止互联网访问(iptables)?

我正在使用 iptables 设置我的 Linux 服务器的防火墙。
为了测试,我无法保护本地 Web 服务器(8080 端口)免受 Internet 访问。

  • OS
    OMV6(6.0.16-1) 基于 Debian 的 Linux
  • 连接:
                    Internet
                        |
LinuxServer(pppoe)----Router(pppoe-relay)
                        |
WorkPC------------------+
  • 接口
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0e:c4:cf:2e:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::20e:c4ff:fecf:2e98/64 scope link
       valid_lft forever preferred_lft forever
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1454 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet x.x.x.x peer x.x.x.x/32 scope global ppp0
       valid_lft forever preferred_lft forever
  • 我做了什么
  1. 我添加了规则以删除来自 ppp0 的所有输入数据包:
root@lxs:/home/aaa# iptables -L INPUT -vn
Chain INPUT (policy ACCEPT 3625 packets, 1238K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4513  638K ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0
  460 25241 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
  1. 监控数据包。同时从 LTE 访问 Web 服务器(8080 端口):
    x.x.x.x是 的 IP 地址ppp0
root@nas:/home/bjn# tcpdump -i ppp0 -n port 8080
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
15:59:20.474424 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [S], seq 1901489667, win 65535, options [mss 1300,nop,wscale 5,nop,nop,TS val 3868697852 ecr 0,sackOK,eol], length 0
15:59:20.474678 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [S.], seq 3559979952, ack 1901489668, win 65160, options [mss 1414,sackOK,TS val 3483431673 ecr 3868697852,nop,wscale 7], length 0
15:59:20.542349 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [.], ack 1, win 4105, options [nop,nop,TS val 3868697925 ecr 3483431673], length 0
15:59:20.558901 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [P.], seq 1:598, ack 1, win 4105, options [nop,nop,TS val 3868697927 ecr 3483431673], length 597: HTTP: GET / HTTP/1.1
15:59:20.559000 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [.], ack 598, win 505, options [nop,nop,TS val 3483431758 ecr 3868697927], length 0
15:59:20.619981 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [P.], seq 1:646, ack 598, win 505, options [nop,nop,TS val 3483431819 ecr 3868697927], length 645: HTTP: HTTP/1.1 200 OK
15:59:20.621516 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [.], seq 646:1934, ack 598, win 505, options [nop,nop,TS val 3483431820 ecr 3868697927], length 1288: HTTP
15:59:20.621763 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [.], seq 1934:3222, ack 598, win 505, options [nop,nop,TS val 3483431821 ecr 3868697927], length 1288: HTTP
15:59:20.621768 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [P.], seq 3222:4510, ack 598, win 505, options [nop,nop,TS val 3483431821 ecr 3868697927], length 1288: HTTP
15:59:20.622514 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [FP.], seq 4510:5152, ack 598, win 505, options [nop,nop,TS val 3483431821 ecr 3868697927], length 642: HTTP
  • 我得到的结果
    显示来自互联网的访问没有被阻止。有人可以帮忙吗?

相关内容